The Rise of AI Scribes: Balancing Efficiency With Privacy in Canadian Health Care

Artificial intelligence (“AI”) scribes are emerging as a potential solution to Canada’s primary health care crisis. These tools use generative AI to transcribe and summarize clinical conversations, producing notes, referrals, prescriptions and other documentation that are integrated with electronic medical records. In Ontario and across Canada, interest in AI scribes is accelerating, supported by programs such as those led by OntarioMD (with the Ministry of Health and Supply Ontario) and Women’s College Hospital Institute for Health System Solutions and Virtual Care (with Canada Health Infoway).

On January 28, 2026, the Office of the Information and Privacy Commissioner for British Columbia (“OIPC‑BC”) and the Information and Privacy Commissioner of Ontario (“IPC-ON”) each released non-binding guidance to support health care providers in adopting AI scribes responsibly. Although the two regulators operate under different statutes and address different stakeholders, their guidance shares a common message: AI scribes, despite their potential benefits, introduce substantial privacy and data security risks that must be managed proactively.

This article summarizes the relevant privacy frameworks and highlights best practices from both sets of guidance for health care providers and organizations (“HCPs”).

British Columbia

OIPC-BC’s recent guidance addresses individual practices, clinics and other entities providing health services outside of a “public body” (public bodies such as public hospitals or local health authorities are subject to a different law). Before using an AI scribe to collect, use or disclose personal information, HCPs must ensure they have the authority to do so under B.C.’s Personal Information Protection Act (“PIPA”). Unlike Ontario’s health privacy law, PIPA does not distinguish personal health information as a subset of personal information (“PI”).

HCPs under PIPA cannot defer their privacy responsibilities to a vendor: HCPs are ultimately responsible for the PI they collect, use and disclose, even when such actions are through a third-party vendor or agent.

Although targeted opportunities for rural medicine practitioners and Doctors of BC’s AI scribe pilot program indicate cautious yet growing adoption of AI scribes, the province does not have a centralized procurement process. Thus, it is essential that HCPs carefully scrutinize the policies and procedures that a vendor has in place. Key considerations when evaluating a potential AI scribe vendor include:

  1. Types of personal information: Identify what types of PI (including about patients, clinicians and employees) will be collected, used and disclosed by the vendor. Determine whether the vendor limits collection to the minimum necessary to fulfil the stated purposes.
  2. Secondary use: Assess whether the vendor uses PI or “de-identified” information (see note below) for secondary purposes such as model training.
  3. Third-party disclosures: Confirm whether PI or de-identified information is shared with third parties and, if so, for what purpose.
  4. Data hosting: Understand where PI is stored and processed. If outside Canada, evaluate the adequacy of foreign privacy protections.
  5. Data storage and retention: Review how long PI or de‑identified data is retained. Does the vendor destroy audio recordings after generating transcripts? Consider whether all records created by the AI scribe need to be retained in light of the data minimization principle (see Ontario discussion below for more information).
  6. Breach notification: Ensure the vendor is obliged to report privacy breaches to the organization.
  7. Data security: Understand the protections the vendor has in place to protect PI, including independent audits or compliance with third-party certifications (e.g., SOC2 Type II, ISO/IEC 27001).
  8. Data deletion and correction: Verify that the HCP can modify or delete AI‑generated records.
  9. Future-proofing: Determine what happens to PI and derived de-identified information when the contract ends or if there is a material change in the vendor’s business structure (e.g., bankruptcy, merger with or acquisition by another company).

Note that, aside from Quebec, there is no standard definition of “de-identified” information in B.C.’s PIPA, Ontario’s Personal Health Information Protection Act or in Canada’s federal privacy laws. De-identified information may still be considered PI if it is capable of identifying an individual when combined with other information.

Ontario

Ontario’s health privacy law, Personal Health Information Protection Act (“PHIPA”), governs the collection, use and disclosure of personal health information (“PHI”) by “health information custodians” – from individual family doctors, clinics and pharmacies to public and private hospitals and long-term care homes. As custodians, HCPs must have information practices in place that comply with the requirements set out in PHIPA and its regulations.

As noted above, Ontario has taken a more centralized approach to AI scribe adoption. OntarioMD, the Ministry of Health and the Canadian Medical Protective Association have jointly developed a Vendor of Record (“VOR”) procurement program. As of early 2026, 18 vendors have been approved, with a second intake in progress (see Tender-20123). Applicants are evaluated against requirements related to the medico-legal obligations of medical practitioners and must have in place specific information handling practices (e.g., no secondary uses permitted; all PHI must be stored and processed in Canada with some exceptions; technical information security requirements; data backup and disaster recovery procedures). The comparison table prepared by Supply Ontario is helpful for understanding at a glance how the vendors compare.

HCPs benefit by accessing special discounted pricing from approved vendors and the reassurance that these vendors have passed rigorous screening conducted by the government. However, the responsibility ultimately rests with the HCP to ensure that they are using AI scribes in compliance with PHIPA and their professional obligations.

Thus, IPC-ON emphasizes that having a strong governance and accountability framework, and conducting a privacy impact assessment before introducing an AI scribe (or any AI technology), is essential. Further, integrating an AI risk management framework as part of the HCP’s larger risk management can keep AI risks at the forefront of organizational awareness. (For small providers and organizations, the IPC-ON’s “Privacy Management Handbook for Small Health Care Organizations” provides tailored guidance.)

Once these are in place, best practices for HCPs using an AI scribe include:

  1. Accuracy: Records created or altered by an AI scribe should be reviewed for accuracy before they are entered into the patient’s records.
  2. Express consent: Obtain express, informed and valid consent prior to using the AI scribe, and document the consent. Provide patients with meaningful information about the AI scribe, as well as the HCP’s purposes for the collection, use and disclosure of PHI through the AI scribe. Note that unreasonable collections, uses or disclosures of PHI can never be valid, even with express consent.
  3. Data minimization: Consider whether all records created by the AI scribe (e.g., voice recordings or transcripts) need to be retained – as with PIPA, under PHIPA’s data minimization principles, HCPs are only permitted to collect, use or disclose the minimum amount of PHI that is reasonably necessary for the stated purpose. In light of medico-legal obligations, consider whether two documents recording the same visit (e.g., a summary and a transcript/recording) create conflicting or multiple truths, rather than a “single source (or version) of truth.”
  4. Transcripts and voice recordings: Voice biometrics are virtually impossible to de-identify, and recordings may also include the conversations of those in the surrounding areas if in an open-concept environment.
  5. Record retention: HCPs who retain an AI scribe’s recordings and transcripts must ensure that they identify the appropriate retention period under PHIPA and only retain these records for the minimum period necessary to fulfil the purposes for which they were collected. If not retained, ensure such records are destroyed in accordance with PHIPA.
  6. Access: Individuals have a right to access and correct their health records, and should be informed that a summary (and a transcript or recording, if retained) exists.
  7. Safeguarding: Choose secure transfer and storage mechanisms for AI‑generated data.
  8. Transparency: Ensure patients are informed of the HCP’s information handling practices and their rights under PHIPA. Written policies should be easily available and up to date with the information handling practices, the contact information for the responsible person and how to file a complaint to IPC-ON.
  9. Active monitoring: Remain vigilant to any potential changes made by the vendor to the AI scribe technology and routinely update organizational policies to ensure they reflect the HCP’s current practices.

While beyond the scope of this article, IPC-ON’s guidance also has a section for developers of AI scribes that HCPs looking to create tools in-house will find useful.

Conclusion

AI scribes offer promising relief from administrative burdens in primary care, but they introduce significant privacy and data security considerations. HCPs must carefully assess AI scribe vendors to ensure compliance with privacy laws and maintain strong governance frameworks once AI scribes are implemented. Furthermore, it is important that HCPs remain alert to “function creep” that may introduce new privacy implications that alter the organization’s original risk assessment. As AI systems become more sophisticated, so too must organizational oversight.

The Privacy & Data Security Group at Aird & Berlis LLP frequently advises public and private organizations on every aspect of complex privacy and data security matters, including emerging technologies such as AI scribes, as well as breach response, regulatory compliance, procurement, transactions and litigation. If you have any questions or require assistance, please contact the author or a member of the group.